ISC2 CSSLP - ISC2 Certified Secure Software Lifecycle Professional Certification Exam
Question #1 (Topic: Demo Questions)
You work as a Network Auditor for Net Perfect Inc. The company has a Windows-based network. While auditing the company's network, you are facing problems in searching the faults and other entities that belong to it. Which of the following risks may occur due to the existence of these problems?
Correct Answer: C
Explanation:
Detection risks are the risks that an auditor will not be able to find what they are looking to detect.
Hence, it becomes tedious to report
negative results when material conditions (faults) actually exist. Detection risk includes two types of
risk:
Sampling risk: This risk occurs when an auditor falsely accepts or erroneously rejects an audit
sample.
Nonsampling risk: This risk occurs when an auditor fails to detect a condition because of not applying
the appropriate procedure or
using procedures inconsistent with the audit objectives (detection faults).
Answer A is incorrect. Residual risk is the risk or danger of an action or an event, a method or a
(technical) process that, although being
abreast with science, still conceives these dangers, even if all theoretically possible safety measures
would be applied (scientifically
conceivable measures).
The formula to calculate residual risk is (inherent risk) x (control risk) where inherent risk is (threats
vulnerability). In the economic context,
residual means "the quantity left over at the end of a process; a remainder".
Answer D is incorrect. Inherent risk, in auditing, is the risk that the account or section being audited
is materially misstated without
considering internal controls due to error or fraud. The assessment of inherent risk depends on the
professional judgment of the auditor, and
it is done after assessing the business environment of the entity being audited.
Answer B is incorrect. A secondary risk is a risk that arises as a straight consequence of implementing
a risk response. The secondary
risk is an outcome of dealing with the original risk. Secondary risks are not as rigorous or important
as primary risks, but can turn out to be so if not estimated and planned properly.
Question #2 (Topic: Demo Questions)
Which of the following statements reflect the ' Code of Ethics Canons ' in the ' (ISC)2 Code of Ethics ' ? Each correct answer represents a complete solution. Choose all that apply.
Correct Answer: A, C, D
Explanation:
The Code of Ethics Canons in (ISC)2 code of ethics are as follows: Protect society, the commonwealth, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.
Question #3 (Topic: Demo Questions)
Which of the following security design principles supports comprehensive and simple design and implementation of protection mechanisms, so that an unintended access path does not exist or can be readily identified and eliminated?
Correct Answer: B
Explanation:
The economy of mechanism is a security design principle, which supports simple and comprehensive design and implementation of protection mechanisms, so that an unintended access path does not exist or can be readily identified and eliminated. Answer: D is incorrect. Separation of duties defines that the completion of a specific sensitivity activity or access to sensitive object depends on the satisfaction of multiple conditions. Answer: C is incorrect. Psychological acceptability defines the ease of use and intuitiveness of the user interface that controls and interacts with the access control mechanisms. Answer: A is incorrect. Least privilege maintains that an individual, process, or other type of entity should be given the minimum privileges and resources for the minimum period of time required to complete a task.
Question #4 (Topic: Demo Questions)
Mark is the project manager of the NHQ project in StarTech Inc. The project has an asset valued at $195,000 and is subjected to an exposure factor of 35 percent. What will be the Single Loss Expectancy of the project?
Correct Answer: A
Explanation:
The Single Loss Expectancy (SLE) of this project will be $68,250. Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as follows: Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF) where the Exposure Factor is represented in the impact of the risk over the asset, or percentage of asset lost. As an example, if the Asset Value is reduced two thirds, the exposure factor value is .66. If the asset is completely lost, the Exposure Factor is 1.0. The result is a monetary value in the same unit as the Single Loss Expectancy is expressed. Here, it is as follows:
SLE = Asset Value * Exposure Factor
= 195,000 * 0.35
= $68,250
Answer: B, C, and D are incorrect. These are not valid SLE ' s for this project.
Question #5 (Topic: Demo Questions)
Which of the following tiers addresses risks from an information system perspective?
Correct Answer: B
Explanation: